US-EU adequacy is a story much covered in the press, largely thanks to the disruptive efforts of Max Schrems. But the world is less familiar with Switzerland’s data protection negotiations with the EU, which resulted in the country’s New Federal Act on Data Protection (nFADP) being enacted on 1 September 2023. An update to the 1992 Federal Act on Data Protection, this new act marks a significant step forward in the safeguarding of its citizens’ personal information.
Why is this important?
The nFADP matters because Switzerland is the EU’s fourth largest trading partner, after China, the US and the UK, while in the other direction the EU is Switzerland’s largest trading partner (1). Switzerland also has an influence beyond the mere numbers because of its dominance in the banking, insurance and service sectors.
And what does this mean for companies operating with personal data throughout Europe? The good news is that companies which adopted the GDPR as a benchmark will notice only a few discernible differences, leading some to describe Switzerland as adopting the GDPR “but with a Swiss finish” (2).
The most significant difference, however, relates to the nFADP’s treatment of juristic persons. While the 1992 FADP protected the personal data of legal entities, this is no longer the case under the newly enacted regulation.
For some organisations, the impact of this change is significant. If you are a corporation based in South Africa (where juristic persons are covered by privacy law) and you’re sending data to or from Switzerland, this could make a big difference to the way you handle data. And as Switzerland is the seventh biggest foreign investor in South Africa, with more than 100 Swiss companies employing around 50,000 individuals between them, many people and processes are likely to be affected (3).
Operational impact: what you need to know
It is therefore important for organisations to get on the front foot, to recognise the operational implications and to take action as required. In comparing the nFADP with the GDPR, the table below provides a summary of the key areas where these regulations differ and highlights the operational impact.
Table 1: nFADP versus GDPR comparison

| Area | nFADP | GDPR | Operational impact |
|---|---|---|---|
| Data breach | Reporting required as soon as possible. | Reporting required within 72 hours. | Operational risk-based decision required, dependent upon the personal data and systems your business uses: is 72 hours acceptable in Switzerland? |
| Data exports | Adequacy determined by the Swiss Federal Council. Can use EU SCCs for transfers. | Adequacy determined by the European Commission (EC). Can use EU SCCs for transfers. | Monitoring of the Swiss Federal Council adequacy list now required (in addition to the EC list). |
| Data Protection Impact Assessment (DPIA) | Can consult with a DPO (see below) or the Swiss regulator. | Must consult your regulator in case of high risk remaining after measures are taken. | If your business has a number of high-risk processes, would hiring a Swiss DPO eliminate the need to frequently ask a regulator for DPIA approval? |
| Data Protection Officer (DPO) | Not mandatory, but recommended. | Mandatory for a public body, or where there is large-scale, core systematic monitoring or large-scale use of sensitive personal data. | See DPIA point above. |
| Fines | Up to CHF 250,000 against responsible private individuals. | Up to EUR 20 million, or 4% of the company’s worldwide turnover. | Any individuals with governance responsibility for Switzerland need to be aware of this. |
| Profiling | Must obtain consent for high-risk profiling only. | Must obtain consent. | Process needed to avoid over-collecting consent in Switzerland (vs. the EU). |
| Sensitive data | Two new categories vs. the GDPR: data on administrative or criminal proceedings and sanctions; data on social security measures. | Racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data; health data or data concerning a person’s sex life or sexual orientation. | Given that the nFADP’s two new sensitive data categories appear in a number of other data protection laws around the world, review your baseline sensitive data categories in line with your business and geographical footprint. |
For an enterprise that processes large numbers of Data Protection Impact Assessments (DPIAs), there is a question of operational efficiency regarding consulting your regulator versus the cost of “insourcing” this review work by employing a Swiss Data Protection Officer (DPO). There is also the matter of updating DPIA templates to incorporate the two new sensitive data categories, which are increasingly common areas of privacy concern globally.
In summary, this could mean quite a bit of work to accommodate something that's supposed to be GDPR "with a Swiss finish"!
References:
(1) https://www.eeas.europa.eu/sites/default/files/str_eu-switzerlandnoifa_factsheet_final.pdf
(2) https://www.ey.com/en_ch/law/a-new-era-for-data-protection-in-switzerland-are-you-ready